Does Amcache record DLLs?

Yes, on Windows 10 build 1709 and later. Root\InventoryApplicationFile records both EXEs and DLLs that the appraiser classifies as PE files, with the same schema for both: full path, SHA-1 of the first 31 MiB, publisher, version, link date, ProgramId, and KeyLastWriteTimestamp.

Pre-1709 builds used the legacy Root\File and Root\Programs schema. DLL coverage there was sparse and inconsistent. If you are working a modern Windows 10 or 11 case, assume DLL coverage.

Finding DLLs in the CSV#

Import-Csv .\HOST_amcache_UnassociatedFileEntries.csv |
  Where-Object { $_.Name -like '*.dll' } |
  Select FullPath, Hash, KeyLastWriteTimestamp, Publisher

Or filter by BinaryType (pe32, pe64) combined with the .dll extension.

Per-process DLL loads vs Amcache DLL records#

These are very different signals. Do not conflate them.

Amcache DLL record Sysmon 7 (Image Loaded)
Triggered by Appraiser inventory pass Each load of the DLL by any process
Frequency Roughly daily Real-time
Records process context No Yes
Records load time Inventory time only Load time per process
Cross-process visibility No Yes

For "which process loaded which DLL", Sysmon 7 is the right artefact. For "was this DLL ever present on this host", Amcache wins. Joining Amcache Hash to Sysmon 7 Hashes gives the full picture: the DLL exists on disk and these processes loaded it on these dates.

DLL-side attacks Amcache catches#

  • DLL sideloading. Attacker DLL alongside a legitimate EXE that loads it. Shows up under an unusual path with empty Publisher in *_UnassociatedFileEntries.csv.
  • Hijacked system DLLs. Same FullPath appearing twice with different Hash values across two KeyLastWriteTimestamp moments. Binary at that path changed between the two. Strong replacement signal.
  • Reflective load decoys. The on-disk decoy DLL shows up in Amcache. The actual reflected-in-memory variant does not. Sysmon 7 catches the load itself.

For the full DLL-bearing investigation flow, see Hunting commodity malware with Amcache.

What Amcache won't catch#

  • DLLs loaded purely from memory. Cobalt Strike, Sliver, Metasploit reflective loaders. The bytes never live on disk for the appraiser to see.
  • DLLs in paths outside the appraiser's scan scope.
  • Per-process load context.

Further reading#

  • Microsoft Sysmon documentation on Event ID 7.
  • The DLL sideloading taxonomy maintained by HijackLibs (hijacklibs.net).

Related posts

  • Why is my Amcache.hve empty?

    Three causes in order of frequency: appraiser disabled, host freshly imaged, or you're on a Server where the cadence is naturally slow. Tampering is a distant fourth.

  • Where is the Amcache registry key?

    Amcache is its own hive file, not a key under HKLM. Loaded on demand by the appraiser. Mounts at HKLM\Amcache when active.

  • What does Amcache.hve contain?

    Inventory records for every PE, driver, application, and connected device the Compatibility Appraiser has seen. SHA-1, full path, publisher, and timestamps per entry.

  • What's a .pf file vs an Amcache entry?

    .pf is execution proof with run times. Amcache is presence with hash and metadata. Same binary in both, only one, or neither, and which combination it is matters.

Back to all posts